Audit support resource wildcard matching #55306
Conversation
k8s-ci-robot
added
release-note-none
|
/assign @sttts @crassirostris |
|
/cc @CaoShuFeng |
|
/asign @ericchiang |
|
/ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
| @@ -220,8 +220,9 @@ type GroupResources struct { | |||
| // +optional | |||
| Group string | |||
| // Resources is a list of resources within the API group. Subresources are | |||
| // matched using a "/" to indicate the subresource. For example, "pods/log" | |||
| // would match request to the log subresource of pods. The top level resource | |||
| // matched using a "/" to indicate the subresource. Also "/*" can be used | |||
There was a problem hiding this comment.
Please run:
hack/update-all.sh
| @@ -163,6 +161,11 @@ func ruleMatchesResource(r *audit.PolicyRule, attrs authorizer.Attributes) bool | |||
| return true | |||
| } | |||
| } | |||
| if strings.HasSuffix(res, "/*") { | |||
| if strings.HasPrefix(resource, strings.TrimRight(res, "/*")) { | |||
There was a problem hiding this comment.
Rather than check the prefix, I think this is more safe:
attrs.GetResource() == strings.TrimRight(res, "/*")
There was a problem hiding this comment.
I think they are the same
resource := attrs.GetResource()
// If subresource, the resource in the policy must match "(resource)/(subresource)"
if sr := attrs.GetSubresource(); sr != "" {
resource = resource + "/" + sr
}
There was a problem hiding this comment.
They are not 100% same.
What if user has such illegal resource in policy: "pods/log/*" ?
There was a problem hiding this comment.
Should we support this illegal resource? I think we should not support wrong config.
There was a problem hiding this comment.
Should we support this illegal resource? I think we should not support wrong config.
With attrs.GetResource() == strings.TrimRight(res, "/*") we can avoid this, so why not?
There was a problem hiding this comment.
We validate policy format here:
https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/apis/audit/validation/validation.go
There was a problem hiding this comment.
I know your meaning .
|
Just for reference: |
|
This is a change which has effect to users. |
OK, thanks |
k8s-ci-robot
added
release-note
|
FYI RBAC supports What's the use case here? Subresources can have dramatically different characteristics. |
How about "pods/log" "pods/status"? By the way, |
|
/retest |
|
@ericchiang Also I find in #48836 (comment) |
This seems hypothetical. Why not be explicit and enumerate them? "pod/status" and "pod/exec" have dramatically different security implications. Are there any resources where this would be useful since almost everything else just has /status and /scale. Not that this couldn't be useful, but do we even want to encourage pods/*? Which seems like obvious way to use this feature. |
|
@ericchiang Compared to other policy rules,such as rbac/initializer, etc. They all have Resources, but have little difference, some match "/subresource", some match "resource/" and some match "". I think we should support "resource/" wildcard matching at least, if not match all patterns. |
hzxuzhonghu
force-pushed
the
audit
branch
3 times, most recently
from
7011b3a to
3e0963c
Compare
|
Contents of the PR look reasonable, but the implications of this change are questionable from the security perspective |
@ericchiang This is a strong point for RBAC, but is it as strong an argument for auditing? For authorization decisions, we don't want to accidentally expose anything, but for auditing there's an argument for "I want to record all activity on pods". If a new subresource is added for pods, I probably do want to start recording activity for it. The power to use those endpoints (RBAC) should remain an explicit opt-in, but the power to record activity on those endpoints could reasonably desire to default on. |
@deads2k sure I can go for that. |
I was about to stress what @deads2k wrote above. If a new subresource comes in, you do want to know about it and react. I agree with majority here, I don't think there's a strong use-case for this. None of the resources we have already has that many subresources that it's a problem to list them. I'm in the camp for 'explicit is better than implicit'. |
|
/assign @deads2k |
|
Does this make sense, if so we should take it a step forward. |
|
@deads2k @ericchiang @soltysh Have you achieve an consensus? I would like this pr being merged in v1.10. |
|
@deads2k kind ping? |
I think we're there. |
| // 'pods/*' means all subresources of pods. | ||
| // '*/scale' means all scale subresources. | ||
| // | ||
| // If wildcard is present, the validation rule will ensure resources do not |
There was a problem hiding this comment.
If wildcard is present, the validation rule will ensure resources do not overlap with each other.
A little confused by this statement. What's it trying to indicate?
There was a problem hiding this comment.
It means Resources []string elements should not indicate same resource.
There was a problem hiding this comment.
What's wrong with when they overlap?
There was a problem hiding this comment.
I don't see any validation you're talking about.
There was a problem hiding this comment.
Yeah I don't see this either. Can you drop this sentence?
| // Resources is a list of resources this rule applies to. | ||
| // | ||
| // For example: | ||
| // 'pods' means pods. |
There was a problem hiding this comment.
nit: Use "matches" instead of "means"?
- 'pods' matches requests to pods
- 'pods/logs' matches requests to the logs subresource of pods
- '*' matches requests to all resources and subresources
- 'pods/*' matches requests to all subresources of pods
- '*/scale' matches requests to the scale subresource of any resource
|
Just doc questions, other than that lgtm |
| // 'pods/*' means all subresources of pods. | ||
| // '*/scale' means all scale subresources. | ||
| // | ||
| // If wildcard is present, the validation rule will ensure resources do not |
There was a problem hiding this comment.
What's wrong with when they overlap?
| // 'pods/*' means all subresources of pods. | ||
| // '*/scale' means all scale subresources. | ||
| // | ||
| // If wildcard is present, the validation rule will ensure resources do not |
There was a problem hiding this comment.
I don't see any validation you're talking about.
k8s-ci-robot
added
the
lgtm
|
@deads2k for approval. |
|
/retest |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hzxuzhonghu, soltysh, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these OWNERS Files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
What this PR does / why we need it:
audit policy support "resource/subresources" wildcard matching "resource/", "/subresource","*"
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #55305
Special notes for your reviewer:
Release note: